Kicked from RubyGems, maintainers forge new home at Gem Cooperative

A team including maintainers removed without notice from the RubyGems.org project has formed the Gem Cooperative and created a new gem server called gem.coop, compatible with RubyGems.

Martin Emde, one of the previous maintainers, said Ruby developers can immediately switch to the new server, although publishing gems is not yet possible. Gems (packages for Ruby) published to RubyGems.org are immediately available from gem.coop. The team includes Ellen Dash, whose post last month was the first to report on the maintainer crisis.

Governance for the cooperative is a work in progress, which Emde said will be released later this week. Mike McQuaid, project lead of Homebrew, a Mac package manager written in Ruby, is assisting with this. McQuaid previously attempted to mediate (without success) between the maintainers and Ruby Central, the organization that hosts RubyGems and decided to remove external maintainers from the project.

The creation of the Gem Cooperative follows an open letter calling for Rails, the popular application framework for Ruby, to be forked in order to free the project from its creator, David Heinemeier Hansson, because of what the letter claims are his "racist and transphobic views."

Signatories to the open letter, called Plan Vert, include Tim Bray (co-author of the XML specification), Jeff Atwood (co-founder of Stack Overflow and Discourse.org), and Eugen Rochko (creator of the Mastodon decentralized social network). Mastodon is built with Ruby on Rails.

Hansson opposed the letter on X, calling it "this dumb letter" that was "never going to go anywhere," among other comments and retweets on the subject.

• Open source to closed doors: RubyGems control fight erupts
• RubyGems maintainer quits after Ruby Central takes control of project
• RubyGems now requires multi-factor auth for top package maintainers
• RubyGems polishes security practices with multi-factor authentication push

Shan Cureton, executive director of Ruby Central, posted about why the organization had acted to take full control over key Ruby code repositories including RubyGems and Bundler (a widely used package dependency manager), claiming it was done for security reasons.

"Ruby Central is responsible for the security, maintenance, and availability of the RubyGems services... to meet that duty of care, privileged access and operational decisions must align under a single, accountable stewardship model from codebase to production," Cureton wrote.

Joel Drapper, formerly of Shopify (a key sponsor of Ruby Central), stated that "the takeover of the RubyGems GitHub organization and gems was not required to meet Ruby Central's legal obligations... Ruby Central was in full control of what source code it deployed to the RubyGems.org Service which it operated." He added that claiming ownership of open source code because you operate a service that runs it is "like claiming you own Rails because you have a Rails app."

André Arko, another excluded maintainer who worked for 15 years on Bundler and founded Ruby Together (now merged with Ruby Central), said: "In the last few weeks, Ruby Central has suddenly asserted that they alone own Bundler. That simply isn't true." Arko said that he owns the Bundler trademark and will not license it, though "Ruby Central is welcome to the code, just like everyone else." Arko intends to transfer the trademark in future to a Ruby organization that is "accountable to the community." ®